cleanup

.github/workflows/smoke.yml

@@ -52,4 +52,12 @@ jobs:
       working-directory: ./.github/workflows/smoke
       run: NAME="smoke-p256" ./smoke.sh
 
+    - name: setup docker image for fips140
+      working-directory: ./.github/workflows/smoke
+      run: NAME="smoke-fips140" CURVE=P256 GOFIPS140=v1.0.0 LDFLAGS=-checklinkname=0 ./build.sh
+
+    - name: run smoke-fips140
+      working-directory: ./.github/workflows/smoke
+      run: NAME="smoke-fips140" ./smoke.sh
+
     timeout-minutes: 10

Makefile

@@ -120,10 +120,6 @@ bin-pkcs11: BUILD_ARGS += -tags pkcs11
 bin-pkcs11: CGO_ENABLED = 1
 bin-pkcs11: bin
 
-bin-fips140: GOENV += GOFIPS140=v1.0.0
-bin-fips140: LDFLAGS += -checklinkname=0
-bin-fips140: bin
-
 bin:
 	$(GOENV) go build $(BUILD_ARGS) -ldflags "$(LDFLAGS)" -o ./nebula${NEBULA_CMD_SUFFIX} ${NEBULA_CMD_PATH}
 	$(GOENV) go build $(BUILD_ARGS) -ldflags "$(LDFLAGS)" -o ./nebula-cert${NEBULA_CMD_SUFFIX} ./cmd/nebula-cert
@@ -219,6 +215,14 @@ ifeq ($(words $(MAKECMDGOALS)),1)
 	@$(MAKE) service ${.DEFAULT_GOAL} --no-print-directory
 endif
 
+fips140:
+	@echo > $(NULL_FILE)
+	$(eval GOENV += GOFIPS140=v1.0.0)
+	$(eval LDFLAGS += -checklinkname=0)
+ifeq ($(words $(MAKECMDGOALS)),1)
+	@$(MAKE) fips140 ${.DEFAULT_GOAL} --no-print-directory
+endif
+
 bin-docker: bin build/linux-amd64/nebula build/linux-amd64/nebula-cert
 
 smoke-docker: bin-docker
@@ -240,5 +244,5 @@ smoke-vagrant/%: bin-docker build/%/nebula
 	cd .github/workflows/smoke/ && ./smoke-vagrant.sh $*
 
 .FORCE:
-.PHONY: bench bench-cpu bench-cpu-long bin build-test-mobile e2e e2ev e2evv e2evvv e2evvvv proto release service smoke-docker smoke-docker-race test test-cov-html smoke-vagrant/%
+.PHONY: bench bench-cpu bench-cpu-long bin build-test-mobile e2e e2ev e2evv e2evvv e2evvvv fips140 proto release service smoke-docker smoke-docker-race test test-cov-html smoke-vagrant/%
 .DEFAULT_GOAL := bin

README.md

@@ -143,17 +143,24 @@ To build nebula for a specific platform (ex, Windows):
 
 See the [Makefile](Makefile) for more details on build targets
 
-## Curve P256 and BoringCrypto
+## Curve P256, BoringCrypto and FIPS 140-3 mode
 
 The default curve used for cryptographic handshakes and signatures is Curve25519. This is the recommended setting for most users. If your deployment has certain compliance requirements, you have the option of creating your CA using `nebula-cert ca -curve P256` to use NIST Curve P256. The CA will then sign certificates using ECDSA P256, and any hosts using these certificates will use P256 for ECDH handshakes.
 
-In addition, Nebula can be built using the [BoringCrypto GOEXPERIMENT](https://github.com/golang/go/blob/go1.20/src/crypto/internal/boring/README.md) by running either of the following make targets:
+Nebula can be built using the [BoringCrypto GOEXPERIMENT](https://github.com/golang/go/blob/go1.20/src/crypto/internal/boring/README.md) by running either of the following make targets:
 
 ```sh
 make bin-boringcrypto
 make release-boringcrypto
 ```
 
+Nebula can also be built using the [FIPS 140-3](https://go.dev/doc/security/fips140) mode of Go by running either of the following make targets:
+
+```sh
+make fips140
+make fips140 release
+```
+
 This is not the recommended default deployment, but may be useful based on your compliance requirements.
 
 ## Credits

noise.go

@@ -25,6 +25,11 @@ func NewNebulaCipherState(s *noise.CipherState) *NebulaCipherState {
 
 }
 
+type cipherAEADDanger interface {
+	EncryptDanger(out, ad, plaintext []byte, n uint64, nb []byte) ([]byte, error)
+	DecryptDanger(out, ad, plaintext []byte, n uint64, nb []byte) ([]byte, error)
+}
+
 // EncryptDanger encrypts and authenticates a given payload.
 //
 // out is a destination slice to hold the output of the EncryptDanger operation.
@@ -35,20 +40,25 @@ func NewNebulaCipherState(s *noise.CipherState) *NebulaCipherState {
 //     be re-used by callers to minimize garbage collection.
 func (s *NebulaCipherState) EncryptDanger(out, ad, plaintext []byte, n uint64, nb []byte) ([]byte, error) {
 	if s != nil {
-		// TODO: Is this okay now that we have made messageCounter atomic?
-		// Alternative may be to split the counter space into ranges
-		//if n <= s.n {
-		//	return nil, errors.New("CRITICAL: a duplicate counter value was used")
-		//}
-		//s.n = n
-		nb[0] = 0
-		nb[1] = 0
-		nb[2] = 0
-		nb[3] = 0
-		noiseEndianness.PutUint64(nb[4:], n)
-		out = s.c.(cipher.AEAD).Seal(out, nb, plaintext, ad)
-		//l.Debugf("Encryption: outlen: %d, nonce: %d, ad: %s, plainlen %d", len(out), n, ad, len(plaintext))
-		return out, nil
+		switch ce := s.c.(type) {
+		case cipherAEADDanger:
+			return ce.EncryptDanger(out, ad, plaintext, n, nb)
+		default:
+			// TODO: Is this okay now that we have made messageCounter atomic?
+			// Alternative may be to split the counter space into ranges
+			//if n <= s.n {
+			//	return nil, errors.New("CRITICAL: a duplicate counter value was used")
+			//}
+			//s.n = n
+			nb[0] = 0
+			nb[1] = 0
+			nb[2] = 0
+			nb[3] = 0
+			noiseEndianness.PutUint64(nb[4:], n)
+			out = s.c.(cipher.AEAD).Seal(out, nb, plaintext, ad)
+			//l.Debugf("Encryption: outlen: %d, nonce: %d, ad: %s, plainlen %d", len(out), n, ad, len(plaintext))
+			return out, nil
+		}
 	} else {
 		return nil, errors.New("no cipher state available to encrypt")
 	}
@@ -56,12 +66,17 @@ func (s *NebulaCipherState) EncryptDanger(out, ad, plaintext []byte, n uint64, n
 
 func (s *NebulaCipherState) DecryptDanger(out, ad, ciphertext []byte, n uint64, nb []byte) ([]byte, error) {
 	if s != nil {
-		nb[0] = 0
-		nb[1] = 0
-		nb[2] = 0
-		nb[3] = 0
-		noiseEndianness.PutUint64(nb[4:], n)
-		return s.c.(cipher.AEAD).Open(out, nb, ciphertext, ad)
+		switch ce := s.c.(type) {
+		case cipherAEADDanger:
+			return ce.DecryptDanger(out, ad, ciphertext, n, nb)
+		default:
+			nb[0] = 0
+			nb[1] = 0
+			nb[2] = 0
+			nb[3] = 0
+			noiseEndianness.PutUint64(nb[4:], n)
+			return s.c.(cipher.AEAD).Open(out, nb, ciphertext, ad)
+		}
 	} else {
 		return []byte{}, nil
 	}

noiseutil/fips140.go

@@ -14,10 +14,15 @@ import (
 )
 
 // EncryptLockNeeded indicates if calls to Encrypt need a lock
-// This is true for boringcrypto because the Seal function verifies that the
+// This is true for fips140 because the Seal function verifies that the
 // nonce is strictly increasing.
 const EncryptLockNeeded = true
 
+// TODO: Use NewGCMWithCounterNonce once available:
+// - https://github.com/golang/go/issues/73110
+// Using tls.aeadAESGCM gives us the TLS 1.2 GCM, which also verifies
+// that the nonce is strictly increasing.
+//
 //go:linkname aeadAESGCM crypto/tls.aeadAESGCM
 func aeadAESGCM(key, noncePrefix []byte) cipher.AEAD
 
@@ -32,19 +37,17 @@ func (c cipherFn) CipherName() string             { return c.name }
 // CipherAESGCM is the AES256-GCM AEAD cipher (using aeadAESGCM when fips140 is enabled)
 var CipherAESGCM noise.CipherFunc = cipherFn{cipherAESGCM, "AESGCM"}
 
+// tls.aeadAESGCM uses a 4 byte static prefix and an 8 byte nonce
 var emptyPrefix = []byte{0, 0, 0, 0}
 
 func cipherAESGCM(k [32]byte) noise.Cipher {
-	// c, err := aes.NewCipher(k[:])
-	// if err != nil {
-	// 	panic(err)
-	// }
 	gcm := aeadAESGCM(k[:], emptyPrefix)
 	return aeadCipher{
 		gcm,
 		func(n uint64) []byte {
-			var nonce [12]byte
-			binary.BigEndian.PutUint64(nonce[4:], n)
+			// tls.aeadAESGCM uses a 4 byte static prefix and an 8 byte nonce
+			var nonce [8]byte
+			binary.BigEndian.PutUint64(nonce[:], n)
 			return nonce[:]
 		},
 	}
@@ -62,3 +65,14 @@ func (c aeadCipher) Encrypt(out []byte, n uint64, ad, plaintext []byte) []byte {
 func (c aeadCipher) Decrypt(out []byte, n uint64, ad, ciphertext []byte) ([]byte, error) {
 	return c.Open(out, c.nonce(n), ciphertext, ad)
 }
+
+func (c aeadCipher) EncryptDanger(out, ad, plaintext []byte, n uint64, nb []byte) ([]byte, error) {
+	binary.BigEndian.PutUint64(nb[4:], n)
+	out = c.Seal(out, nb[4:], plaintext, ad)
+	return out, nil
+}
+
+func (c aeadCipher) DecryptDanger(out, ad, ciphertext []byte, n uint64, nb []byte) ([]byte, error) {
+	binary.BigEndian.PutUint64(nb[4:], n)
+	return c.Open(out, nb[4:], ciphertext, ad)
+}